CIO Insights and Analysis from Deloitte

CONTENT FROM OUR SPONSOR

Please note: The Wall Street Journal News Department was not involved in the creation of the content below.

Creating a Risk Intelligent Culture

Two specialists in enterprise risk reveal steps CIOs and other leaders can take to help jump-start their risk management programs.

Though many organizations spend years developing and implementing risk management frameworks, policies, procedures, and sophisticated technologies, some still struggle to manage risk effectively. Why? Often, they have the right infrastructure in place, but their risk culture is weak. No matter how good the risk infrastructure, risk management is ultimately a people issue.

Forward-thinking companies have developed a “Risk Intelligent” culture that engages people throughout the enterprise in their risk management efforts. Two risk specialists—Scott Baret, a partner and global financial services leader with Deloitte & Touche LLP’s Enterprise Risk Services, and Eddie Barrett, a director and risk culture leader for Financial Services at Deloitte Consulting LLP—share their insights on how CEOs, CIOs, and other business leaders can help shore up their organizations’ risk cultures.

What does it mean to have a Risk Intelligent culture?

Scott Baret: It may help to consider the difference between a risk culture, in which organizations are generally aware of the major risks they face, and a Risk Intelligent culture, which requires planning and focused effort. Leaders should actively shape their risk culture into something purposeful that is aligned with their business strategy—and where each employee understands how to make the right risk-based decisions.

Who is responsible for an organization’s risk culture?

Eddie Barrett: In a Risk Intelligent organization, everyone understands the organization’s approach to risk and they take personal responsibility for managing risk every day. That’s part of the definition of Risk Intelligence. At the same time, there are a handful of people who typically have elevated responsibilities for risk culture. The CEO usually takes the lead on risk culture, with input and support from the Chief Human Resources Officer, Chief Risk Officer, key business leaders, and, increasingly, the CIO. We are also seeing the Board assume responsibility for risk culture, as the importance of people and culture in preventing major missteps becomes more apparent.

What can companies do to strengthen risk culture?

Eddie Barrett: At a high level, there are four main areas companies should be prepared to take on. First, efforts to change the risk culture often begin with building risk competence among existing and new employees through training. Companies should also focus on how people are motivated to manage risks—starting with incentives, rewards, and performance management. Performance management should have a very clear connection to the organization’s risk culture objectives. Also look to strengthen relationships within the organization—peer-to-peer, leader-to-leader, you name it. Stronger relationships may enhance the communication and collaboration required to create and sustain effective risk management initiatives. And finally, the organization itself is often the culprit. From compliance and procedures to ethical expectations and governance, companies should be prepared to set organization-wide changes in motion.

What role should CIOs play in these efforts?

Scott Baret: CIOs should understand various types of risk: risk inside their IT operation; risks facing the broader organization; risks in the use and deployment of technology; and strategic risk. Of these, the last is often the most neglected. Yet the task of leveraging technology to gather business information that can provide insights into the management of strategic risks should rank among the most important.

Eddie Barrett: Often, there is a lack of alignment between IT and the business that hampers the CIO’s mission. Today’s CIOs should not allow that. They should establish IT priorities, processes, and projects to fully align with the needs and risks of the organization.

Changing an organization’s culture is a big undertaking. Where should you start?

Eddie Barrett: We often find that while company leaders know they have a problem with risk culture, they can’t put their finger on exactly where or what the problem is. So while it is tempting to dive in and start making changes, it makes sense to begin with an assessment of your current risk culture. Find out where your strengths and weaknesses are—the facts, not just intuition—and build out a prioritized action plan from there.

If an organization already has a risk management function and other controls in place, does it make sense to evaluate its risk culture?

Scott Baret: Given the level of scrutiny regarding risk culture we’re seeing from regulators, investors, shareholders, and, increasingly, the general public, simply being able to point to risk infrastructure is not enough. These audiences want to see tangible evidence of cultural change.

In that sense, risk culture is an important safety net. No matter what risk frameworks, policies, procedures or technologies you might have in place, or be missing, in the face of an unexpected challenge, an organization that has built a Risk Intelligent culture is more likely to respond in the right way to the unexpected – process will follow culture.

About Deloitte Insights

Deloitte Insights for CIOs couples broad business insights with deep technical knowledge to help executives drive business and technology strategy, support business transformation, and enhance growth and productivity. Through fact-based research, technology perspectives and analyses, case studies and more, Deloitte Insights for CIOs informs the essential conversations in global, technology-led organizations.